OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Audit Report

Evaluation of U.S. Chemical Safety and Hazard Investigation Board's Compliance with the Federal Information Security Management Act (FISMA) for Fiscal Year 2005
Report 2005-2-00030

September 28, 2005


U.S. Environmental Protection Agency                      2005-2-00030
Office of Inspector General                               September 28, 2005

At a Glance
Catalyst for Improving the Environment

Why We Did This Review

We sought to determine whether the U.S. Chemical Safety and Hazard Investigation Board's (CSB) information security program complies with the Federal Information Security Management Act (FISMA) for Fiscal Year 2005.

Background

The Office of Inspector General (OIG) contracted KPMG, LLP (KPMG) to assist in performing the Fiscal Year 2005 FISMA independent evaluation of the CSB information security program and practices. This evaluation adheres to the Office of Management and Budget reporting guidance for micro-agencies, the category under which CSB is considered.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391. To view the full report, click on the following link: www.epa.gov/oig/reports/2005/20050928-2005-2-00030.pdf

Evaluation of U.S. Chemical Safety and Hazard Investigation Board's Compliance with the Federal Information Security Management Act (FISMA) for Fiscal Year 2005

What We Found

The U.S. Chemical Safety and Hazard Investigation Board (CSB) took significant actions to fill two critical vacancies. The appointments of the Chief Information Officer and the Information Technology Manager placed much needed attention on CSB's information security program. However, the 7- and 5-month delays in the respective appointments hampered CSB's ability to initiate actions to address significant deficiencies noted during the Fiscal Year 2004 Federal Information Security Management Act (FISMA) evaluation. Consequently, CSB did not remediate Fiscal Year 2004 weaknesses that are reported as repeat deficiencies in this year's evaluation. Although CSB has hired a contractor to assist them in correcting many of the identified weaknesses and created a timetable to alleviate their vulnerabilities, we found that CSB had not:

•  Certified and accredited any of its information systems. In addition, CSB has not categorized its information systems in accordance with the National Institute of Standards and Technology (NIST) Federal Information Processing Standard 199, nor reviewed them using the security guidance contained in NIST Special Publications 800-26 and 800-53.

•  Addressed long-standing weaknesses in implementing security controls such as completing risk assessments, implementing file and e-mail encryption, and establishing a software patch management system. In addition, this year's evaluation identified that CSB needs to make improvements in testing its contingency plans, documenting security configuration standards, completing e-authentication risk assessments, testing security controls, and performing sufficient oversight for its contractor-operated system to ensure the system meets FISMA requirements.

•  Approved its new security incident handling procedures, although some components of the procedures are in use.


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

September 28, 2005

MEMORANDUM

SUBJECT:   Evaluation of U.S. Chemical Safety and Hazard Investigation Board's Compliance with the Federal Information Security Management Act (FISMA) for Fiscal Year 2005
           Report No. 2005-2-00030

FROM:      Rudolph M. Brevard /s/
           Acting Director, Business Systems Audits

TO:        The Honorable Carolyn W. Merritt
           Chairman and Chief Executive Officer
           U.S. Chemical Safety and Hazard Investigation Board

Attached is KPMG LLP's final report on the above subject area. This report synopsizes the results of information technology security work performed by KPMG on behalf of the U.S. Environmental Protection Agency's Office of Inspector General (OIG). The report also includes KPMG's completed Fiscal Year 2005 FISMA Reporting Template, as prescribed by the Office of Management and Budget (OMB).

In accordance with OMB reporting instructions, the OIG is forwarding this report to you for submission, along with your Agency's required information, to the Director, OMB.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893 or William Coker at (202) 566-2553.


Evaluation Report

Evaluation of U.S.
Chemical Safety and Hazard Investigation Board's Compliance with the Federal Information Security Management Act (FISMA) for Fiscal Year 2005

September 28, 2005


Abbreviations

C&A        Certification and Accreditation
CIO        Chief Information Officer
CSB        United States Chemical Safety and Hazard Investigation Board
EPA        Environmental Protection Agency
FedCIRC    Federal Computer Incident Response Center
FIPS       Federal Information Processing Standard
FISMA      Federal Information Security Management Act
IATO       Interim Authority to Operate
ITM        Information Technology Manager
ISO        Information Security Officer
NIST       National Institute of Standards and Technology
OCFO       Office of the Chief Financial Officer
OIG        Office of Inspector General
OMB        Office of Management and Budget
POA&M      Plan of Action and Milestones
SP         Special Publication


September 28, 2005

Mr. Rudolph M. Brevard
Acting Director for Business Systems Audits
U.S. Environmental Protection Agency
Office of Inspector General
Mail Code 2421T
1200 Pennsylvania Avenue, NW
Washington, DC 20460

Re: Transmittal of the Evaluation of U.S. Chemical Safety and Hazard Investigation Board's Compliance with the Federal Information Security Management Act (FISMA) for Fiscal Year 2005.
Contract No: GS-23F-8127H

Dear Mr. Brevard:

Thank you for providing KPMG LLP (KPMG) with the opportunity to assist the U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) in performing the evaluation of the U.S. Chemical Safety and Hazard Investigation Board's (CSB) compliance with the Federal Information Security Management Act (FISMA) for Fiscal Year 2005.

We are pleased to present our final evaluation report for the CSB's compliance with FISMA during Fiscal Year 2005. The delivery of this report concludes our obligations under Purchase Order number 4W-3271-NBLX. Pursuant to the Purchase Order, we will issue our final invoice for this engagement.

We have enjoyed working with you and your staff and look forward to continuing to provide the EPA OIG with quality services. For further information regarding this report, contact the EPA OIG Office of Congressional and Public Liaison at (202) 566-2391.

Very Truly Yours,


Table of Contents

Chapters

   1   Executive Summary ........................................................... 2

   2   Results of Independent Evaluation ........................................... 5
          Objective 1, Evaluate a Representative Subset of Systems ................ 5
          Objective 2, Actual Performance by Risk Impact Level .................... 5
          Objective 3, Oversight of Contractor Systems, and Agency System Inventory  6
          Objective 4, Plan of Action and Milestones Status ....................... 7
          Objective 5, Agency Certification and Accreditation Process ............. 8
          Objective 6, Agency Wide Security Configuration Policy .................. 9
          Objective 7, Incident Reporting Procedures ............................. 10
          Objective 8, Security Training and Awareness Program ................... 10
          Objective 9, Peer-to-Peer File Sharing Policy .......................... 10
          CSB Privacy Program .................................................... 11

Appendices

   A   Reporting Requirements for Micro-Agencies .................................. 12
   B   Documentation Used for Evaluation ......................................... 14


Chapter 1
Executive Summary

Introduction

The Office of Inspector General (OIG) tasked KPMG LLP (KPMG) to assist in performing the FY 2005 Federal Information Security Management Act (FISMA) independent evaluation of the United States Chemical Safety and Hazard Investigation Board's (CSB) information security program and practices.
CSB is a small federal entity and, as a result, does not have an information security program and related practices comparable to those of larger federal entities; this has been taken into account during the evaluation.

To perform the independent evaluation, we requested documentation related to prior CSB audits, security evaluations, security program reviews, vulnerability assessments, and other reports addressing CSB's information security program and practices. In addition, documentation supporting security training, security-related information technology (IT) capital planning efforts, memoranda regarding information security policies, and plans for future information security assessments was reviewed. Appendix B of this report lists the documents reviewed as part of this evaluation. Through inspection of the documentation received and inquiry with CSB personnel, we evaluated CSB's progress in meeting the Office of Management and Budget's (OMB) FISMA performance measures.

Reporting Requirements

OMB has issued FISMA reporting guidance for "micro-agencies", which OMB defines as an agency with fewer than 100 employees. CSB meets the OMB criteria for a micro-agency, and the required reporting template is included at Appendix A. In addition, the EPA OIG requested that KPMG review the CSB information security program in more detail than required by the FISMA micro-agency reporting guidance. Consequently, this report contains additional details on our observations regarding CSB's information security program.

Results in Brief

The CSB IT department underwent significant changes during FY 2005. An Information Technology Manager (ITM), the CSB equivalent to an Information Security Officer (ISO), was appointed in March 2005, filling a vacancy that had existed in that position since October 2004. Additionally, during FY 2005, CSB appointed a Chief Information Officer (CIO). Although filling these key security positions was a positive step, the delays in making these appointments hampered CSB's ability to address significant deficiencies noted in the FY 2004 FISMA evaluation, which consequently resulted in the recurrence of these significant deficiencies in the FY 2005 FISMA review.

Under the direction of the CIO and the ITM, CSB hired a contractor to assist the Agency in correcting many of the identified security weaknesses. CSB's aggressive action has resulted in tangible steps to mitigate most of the FY 2005 deficiencies by the end of the calendar year. Below is the status of CSB's significant deficiencies; additional details are in Chapter 2:

•  OIG-IT-01 – Security Certification and Accreditation (C&A). Although CSB issued an Interim Authority to Operate (IATO) for its three systems, CSB had not certified or accredited the systems. Additionally, CSB had not categorized its systems in accordance with National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 199, or reviewed the systems using security guidance contained in NIST Special Publications 800-26 and 800-53. CSB officials indicated that the Agency would complete this task by the end of the calendar year, after the installation of new servers and the assessment of other identified weaknesses. In addition, CSB indicated that the ITM would complete the required NIST 800-26 self-assessment by the end of FY 2005.

•  OIG-IT-02 – Security Control Implementation. CSB has not addressed prior year security control implementation significant deficiencies. These include the lack of a complete IT risk assessment, lack of technical security controls such as file and e-mail encryption, and lack of an agency-wide software patch management system.

   During the FY 2005 FISMA evaluation, we identified the following additional issues that contribute to CSB's significant deficiency around security control implementation:

   -  CSB has not tested its contingency plan within the past year;
   -  A documented security configuration policy for CSB networks has not been implemented;
   -  E-Authentication risk assessments have not been conducted;
   -  Two of the three CSB systems have not had their security controls tested within the past year; and
   -  CSB did not perform sufficient oversight for its contractor systems to ensure the systems meet FISMA requirements.

   CSB officials concurred with the findings in this area and took steps to address many of the significant deficiencies. CSB obtained contractor support to: (1) review some of the FY 2004 findings and (2) provide recommendations on mitigating the weaknesses. CSB officials provided action plans to mitigate weaknesses in its Annual Self-Assessment, Risk Assessment, Technical Security Controls, and Patch Management processes by October 2005. CSB also indicated the Agency would update security plans by December 2005. In addition, with the implementation of a new system infrastructure, CSB indicated it would complete the update of its contingency plans by March 2006. Although CSB provided steps for improving its e-authentication risk assessment and contractor system oversight process, CSB did not indicate when it would complete these activities.

•  OIG-IT-03 – Security Training. During FY 2005, CSB implemented a security awareness-training program for its employees, thereby eliminating a long-standing significant deficiency reported in the FY 2003 and FY 2004 FISMA evaluations. However, CSB's security-awareness training does not include information regarding peer-to-peer file sharing. In response to this finding, CSB indicated it would address this weakness in a separate notification to all staff and update the security-awareness training material.

•  OIG-IT-04 – Security Program Management. CSB was without a formally appointed ITM from October 2004 through March 2005. During that time, the required FISMA Plan of Action and Milestones (POA&M) was not submitted to OMB. Additionally, CSB had not prioritized the weaknesses identified in the POA&M, which is a key step for addressing the weaknesses. CSB concurred with this finding and indicated the Agency prioritized the weaknesses in its September 2005 POA&M submission to OMB.

•  OIG-IT-05 – Security Incident Handling. CSB has not approved its incident handling procedures. During FY 2005, CSB developed new procedures for incident handling, but had not approved the procedures. CSB concurred with this finding and indicated it would approve the new procedures by October 31, 2005.


Chapter 2
Results of Independent Evaluation

Objective 1

Evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below.

   FIPS 199 Categorization                    Total Number of Agency     Number Evaluated
                                              and Contractor Systems
   Agency Systems
      Not Categorized                                    2                       0
   Contractor Systems
      Not Categorized                                    1                       0
   Total Systems Not FIPS 199 Categorized                3                       0

CSB has not categorized its three systems according to the FIPS 199¹ criteria, nor has CSB evaluated the systems against NIST Special Publication 800-26² or 800-53³. To their credit, CSB management has contracted out the tasks needed to complete the FIPS 199 categorization.
For FY 2006, CSB\n                     plans to consolidate the three systems into one general support system (GSS).\n                     Finding OIG-IT-01\n\n                     Objective 2\n\n                     Identify actual performance in FY 05 by risk impact level and bureau.\n                     From the representative subset of systems evaluated, identify the number\n                     of systems which have completed the following: have a current\n                     certification and accreditation, a contingency plan tested within the past\n                     year, and security controls tested within the past year.\n\n\n\n1\n  FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, sets standards\nfor security categorization of information and information systems through the use of standardized security\nobjectives and ranking criteria.\n2\n  NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, provides an extensive\nquestionnaire containing specific control objectives and techniques against which an unclassified system or group of\ninterconnected systems can be tested and measured.\n3\n  NIST SP 800-53, Recommended Security Controls for Federal Information Systems, provides guidelines for\nselecting and specifying security controls for information systems supporting the executive agencies of the federal\ngovernment.\n\n\n                                                        - 5 -\n\n\x0c                  Security category                     Total Number        Number Reviewed\n     Total number certified and accredited                    0                    0\n     Total number with controls evaluated                     1                    0\n     Total number with contingency plan tested                0                    0\n\nAlthough all of CSB\xe2\x80\x99s three systems have an IATO, none of the systems have\nbeen certified and accredited. 
The IATO authorization covers a two-year\nperiod from September 30, 2004. CSB has obtained contractor support to help\naddress these issues. At the time of our FY 2005 FISMA evaluation, the\ncontractor was in the process of conducting a security control evaluation\nassessment for the systems, which is a key element of a C&A. Finding OIG\nIT-01\n\nAdditionally, CSB has not evaluated the security controls on two of its three\nsystems nor had CSB tested its contingency plan within the past year. Finding\nOIG-IT-02\n\nObjective 3\n\nEvaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system\ninventory.\n\n             Evaluate the status of the following                       Results:\n    a. The agency performs oversight and evaluation to\n    ensure information systems used or operated by a         No formal evaluations have\n    contractor of the agency or other organization on        been conducted on CSB\n    behalf of the agency meet the requirements of FISMA,     contractor systems or\n    OMB policy and NIST guidelines, national security        information security controls\n    policy, and agency policy.                               and processes.\n    b. The agency has developed an inventory of major\n    information systems (including major national security\n    systems) operated by or under the control of such        CSB maintains a complete list\n    agency, including an identification of the interfaces    of all systems, including those\n    between each such system and all other systems or        operated by contractors. CSB\n    networks, including those not operated by or under the   has no national security\n    control of the agency.                                   
systems.\n                                                             OIG agrees with the CIO\xe2\x80\x99s\n                                                             classification of systems and\n                                                             is aware of efforts to\n    c. The OIG generally agrees with the CIO on the          consolidate systems into one\n    number of agency owned systems.                          GSS.\n    d. The OIG generally agrees with the CIO on the\n    number of information systems used or operated by a\n    contractor of the agency or other organization on\n    behalf of the agency.                                    Yes\n    e. The agency inventory is maintained and updated at\n    least annually.                                          Yes.\n\n\n                                - 6 -\n\n\x0c              Evaluate the status of the following                       Results:\n                                                               No E-authentication risk\n    f. The agency has completed system e-authentication        assessments have been\n    risk assessments.                                          conducted.\n\nThe CSB ITM currently performs oversight for the Recommendation and\nTechnical Solution System. Contractors administer and maintain this system\nand report directly to the CSB ITM. However, CSB does not oversee and\nevaluate the system to ensure compliance with FISMA requirements. Finding\nOIG-IT-02\n\nCSB has consolidated its IT inventory into a Microsoft Access database. Using\nthe database, CSB has the ability to query specific IT equipment. CSB updates\nthe access database at least annually and when any changes/deletions are\nneeded.\n\nCSB has notified the EPA OIG of the number of systems operational at CSB,\nand the EPA OIG is in agreement with the number of systems. 
CSB\nmanagement has proposed to consolidate the three current systems into one\nGSS and the OIG concurs.\n\nObjective 4\n\nAssess whether the agency has developed, implemented, and is managing\nan agency wide plan of action and milestone (POA&M) process.\n\n              Evaluate the status of the following                        Results:\n                                                               Yes. The CSB POA&M\n                                                               process appears to be an\n                                                               agency wide process that has\n                                                               incorporated all known IT\n                                                               security weaknesses. The\n                                                               CSB POA&M contains\n                                                               weaknesses, points of contact\n                                                               (POCs), required resources,\n     a. The POA&M is an agency wide process,                   scheduled completion dates,\n    incorporating all known IT security weaknesses             milestones, milestone\n    associated with information systems used or operated       changes, how the weakness\n    by the agency or by a contractor of the agency or other    was identified, and the status\n    organization on behalf of the agency.                      of weaknesses.\n                                                               Yes. All IT security\n    b. When an IT security weakness is identified, program     weaknesses identified by the\n    officials (including CIOs, if they own or operate a        program officials are\n    system) develop, implement, and manage POA&Ms              incorporated and managed by\n    for their system(s).                                       the CSB POA&M.\n                                                               Yes. 
Contractors report\n    c. Program officials, including contractors, report to     weekly and the remaining\n    the CIO on a regular basis (at least quarterly) on their   Program Officials and\n    remediation progress.                                      Contractors report directly to\n\n\n\n                                  - 7 -\n\n\x0c              Evaluate the status of the following                    Results:\n                                                            CSB security management,\n                                                            who reports to the CIO.\n                                                            Yes. CSB tracks, maintains,\n    d. CIO centrally tracks, maintains, and reviews         and reviews POA&M\n    POA&M activities on at least a quarterly basis.         activities on a quarterly basis.\n                                                            Yes. CSB\xe2\x80\x99s POA&M\n                                                            identifies where the\n                                                            weaknesses were identified\n    e. OIG findings are incorporated into the POA&M         and clearly states which were\n    process.                                                found by the OIG.\n                                                            No. The CSB POA&M\n                                                            process does not prioritize the\n                                                            IT security weaknesses. CSB\n    f. POA&M process prioritizes IT security weaknesses     management explained that\n    to help ensure significant IT security weaknesses are   all of the IT security\n    addressed in a timely manner and receive appropriate    weaknesses are addressed\n    resources.                                              concurrently.\n\nThe ITM is responsible for the development, implementation, and management\nof the agency wide FISMA POA&M process. 
The ITM utilizes the POA&M to ensure that control weaknesses from prior audits/reviews are addressed and corrected. The ITM, in coordination with the CIO, develops, implements, and manages POA&Ms for the CSB systems. Although CSB is required to report its POA&M progress to OMB on a quarterly basis, CSB last submitted a POA&M to OMB in March 2004. The lack of timely POA&M submissions is because CSB did not fill the ITM position between October 2004 and March 2005.

The POA&M is the authoritative agency management tool used to identify and monitor agency security weaknesses. CSB has an updated POA&M and uses it for tracking corrective actions. Inspection of the current POA&M and discussions with the ITM showed that CSB had not prioritized its IT security weaknesses on the POA&M. Consequently, CSB may not address critical weaknesses in a timely manner. In response to this finding, CSB indicated the Agency had prioritized the weaknesses in its September 2005 POA&M submission to OMB. Finding OIG-IT-04

Objective 5

Assess the overall quality of the agency's C&A process.

As stated in the FY 2003 and FY 2004 CSB FISMA evaluations, CSB's systems have not been fully certified and accredited. During the course of FY 2004 and 2005, CSB issued an IATO for each of its systems, which authorizes the systems to operate for the period of two years from September 30, 2004. In addition, CSB has obtained contractor assistance to support its certification and accreditation (C&A) efforts. At the time of our FY 2005 FISMA evaluation, the contractor had completed the initial task of conducting a server audit to support the C&A process; however, the process is not complete. Finding OIG-IT-01

Objective 6

Evaluate the status of the following:
    a. Is there an agency-wide security configuration policy?
    b. Identify which software is addressed in the agency-wide security configuration policy. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.

CSB does not currently have an agency-wide security configuration policy. In addition, CSB has not implemented an agency-wide software patch management program and has hired a contractor to correct this deficiency.

During our vulnerability test of CSB's external and internal network infrastructure, we noted the following:

• Externally, CSB has implemented a fail-over firewall configuration to filter out unnecessary network traffic. This firewall mitigates most risks originating from the Internet. However, we noted several vulnerabilities on CSB's external web servers that could be used to gain unauthorized access. This occurred because CSB had not:
    - updated system software with the latest patches/fixes, or
    - disabled unnecessary services/program features.

• Internally, our tests identified vulnerabilities that could possibly lead to unauthorized access. This occurred because CSB had not:
    - updated system software with the latest patches/fixes,
    - secured blank system administration account passwords on workstations, or
    - removed obsolete accounts from the CSB network. For example, we identified 11 user accounts where the user has not logged on in more than 180 days. Finding OIG-IT-02

Objective 7

Evaluate the degree to which the following statements reflect the status:
    a. The agency follows defined policies and procedures for reporting incidents internally.
    b. The agency follows defined policies and procedures for external reporting to law enforcement authorities.
    c. The agency follows defined procedures for reporting to the Federal Computer Incident Response Center (FedCIRC) as established by US-CERT (http://www.us-cert.gov).

CSB's incident reporting program requires the ITM to be informed after 1) a security violation has occurred, or 2) a user suspects that a security violation has occurred. CSB's main incident reporting process follows US-CERT criteria. CSB has not approved its incident reporting process, but plans to approve the process and procedures during FY 2006.

During FY 2005, CSB had one computer incident related to malicious code. CSB did not notify US-CERT or any external reporting authority because the malicious code was not widespread across the agency. Finding OIG-IT-05

Objective 8

Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities?

During FY 2005, CSB implemented a security awareness training program for its employees, thereby eliminating a long-standing significant deficiency reported in the FY 2003 and FY 2004 FISMA evaluations. However, the training material does not include information regarding peer-to-peer file sharing. Additionally, at the time of our FY 2005 FISMA review, CSB's ITM did not have adequate security training to perform his duties. However, the ITM has registered for several IT security classes and seminars for early in FY 2006.

Objective 9

Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training?

As previously stated, CSB's security training materials do not currently contain information on peer-to-peer file sharing.
To mitigate this deficiency, a CSB official indicated the Agency would prepare a separate notification for current employees, and will include specific guidance on peer-to-peer file sharing in updated security awareness documentation.

CSB Privacy Program

OMB encourages IGs to provide any meaningful data they have regarding the agency's privacy program and related activities.

CSB has not developed any privacy-specific processes or programs. Accordingly, the OIG has not received any meaningful data and therefore is not able to provide any privacy results for FY 2005.

Appendix A

U.S. Chemical Safety and Hazard Investigation Board
FY05 FISMA Report

Micro Agency Reporting Template - IG or Independent Evaluator

This template should be used by micro-agencies (less than 100 employees) to report to OMB on FISMA Compliance. This template should be submitted to OMB (fisma@omb.eop.gov) no later than October 7, 2005, in accordance with OMB Memo M-05-15 "FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management."

If a micro-agency does not have an IG, Section C requirements should be completed by an independent evaluator.

Please attach any reports or observations from the independent assessment at the time of template submission to OMB.

Name of Agency: U.S. Chemical Safety and Hazard Investigation Board
Date: 09/28/2005

Agency systems: 2

Number of agency systems evaluated, by FIPS-199 categorization (high impact, medium impact, low impact, or not yet categorized):
    High Impact:           0
    Moderate Impact:       0
    Low Impact:            0
    Not yet categorized:   2

Of those systems evaluated, number of agency systems certified and accredited, by FIPS-199 categorization:
    High Impact:           0
    Moderate Impact:       0
    Low Impact:            0
    Not yet categorized:   0

Of those systems evaluated, number of agency systems with security controls tested FY05, by FIPS-199 categorization:
    High Impact:           0
    Moderate Impact:       0
    Low Impact:            0
    Not yet categorized:   0

Of those systems evaluated, number of agency systems with tested contingency plans, by FIPS-199 categorization:
    High Impact:           0
    Moderate Impact:       0
    Low Impact:            0
    Not yet categorized:   0

Contractor systems: 1

Number of contractor systems evaluated, by FIPS-199 categorization (high impact, medium impact, low impact, or not yet categorized):
    High Impact:           0
    Moderate Impact:       0
    Low Impact:            0
    Not yet categorized:   1

Of those systems evaluated, number of contractor systems certified and accredited, by FIPS-199 categorization:
    High Impact:           0
    Moderate Impact:       0
    Low Impact:            0
    Not yet categorized:   0

Of those systems evaluated, number of contractor systems with security controls tested FY05, by FIPS-199 categorization:
    High Impact:           0
    Moderate Impact:       0
    Low Impact:            0
    Not yet categorized:   1

Of those systems evaluated, number of contractor systems with tested contingency plans, by FIPS-199 categorization:
    High Impact:           0
    Moderate Impact:       0
    Low Impact:            0
    Not yet categorized:   0

Number of weaknesses identified in POA&M:                    10
Number of weaknesses reported corrected as of 09/28/05:       1

Appendix B

Documentation Used for Evaluation
 1. CSB IT Security Plan
 2. CIO Appointment Memo for Anna Johnson
 3. ISO Appointment Memo for Charlie Bryant
 4. Charlie Bryant Resume and Job Description
 5. DN American Draft Statement of Work for CSB
 6. CSB Staff Directory
 7. Draft Computer Security Awareness Training
 8. Draft Incident Reporting Policy and Procedures
 9. Draft Incident Response Policy and Procedures
 10. Federal Incident Reporting Guidelines
 11. Interim Authority To Operate (IATO) for CSB's Three Systems
 12. CSB Information Technology Contingency Plan
 13. Spectra 10000 Information
 14. DN American Server Audit
 15. IT Department Inventory
 16. POA&M, dated July 15, 2005 and POA&M Submission Email
 17. Network Topology
 18. CSB Agency Structure Chart
 19. Sample of Windows XP Configuration Checklists
 20. Draft Computer Security Employee Acknowledgement Form
 21. Scheduled Training Courses for Charlie Bryant
 22. N-Stealth External Scan Against CSB.gov
 23. N-Stealth Internal Scan Against Exchange Email Server
 24. Vulnerability Assessment Work Paper and Results
 25. CSB 2004 IT Capital Plan
 26. DN American Weekly Report
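The obsolete-account condition reported under Objective 6 (Finding OIG-IT-02: enabled user accounts with no logon in more than 180 days) is a check an evaluator can script against an account export. The Python below is an added illustration, not part of the OIG report or of CSB's or its contractor's tooling; the account records, their field layout and the as-of date are constructed for the example.

```python
from datetime import date, timedelta

# Threshold taken from the report's finding: no logon in more than 180 days.
STALE_AFTER = timedelta(days=180)
# Constructed as-of date (the report date); not derived from any real export.
REPORT_DATE = date(2005, 9, 28)

# Constructed sample account export, not CSB data.
# Fields: account name, enabled flag, creation date, last logon (None = never logged on).
SAMPLE_ACCOUNTS = [
    ("alice",   True,  "2003-01-15", "2005-09-20"),
    ("bob",     True,  "2003-01-15", "2005-01-10"),
    ("svc-bak", True,  "2004-06-01", None),
    ("newhire", True,  "2005-09-01", None),
    ("carol",   False, "2002-03-03", "2004-02-02"),
]


def find_obsolete_accounts(accounts, as_of, stale_after=STALE_AFTER):
    """Return (name, idle_days, basis) for enabled accounts idle longer than stale_after.

    Disabled accounts are skipped: they are already neutralised and would only
    inflate the count. An account that has never logged on is measured from its
    creation date, so an empty last-logon field cannot hide an unused account.
    """
    findings = []
    for name, enabled, created, last_logon in accounts:
        if not enabled:
            continue
        if last_logon is None:
            reference, basis = date.fromisoformat(created), "never logged on"
        else:
            reference, basis = date.fromisoformat(last_logon), "last logon"
        idle = as_of - reference
        if idle > stale_after:
            findings.append((name, idle.days, basis))
    return findings


def poam_entry(findings, stale_after=STALE_AFTER):
    """Summarise the findings as one POA&M weakness line; None when nothing is stale."""
    if not findings:
        return None
    names = ", ".join(name for name, _, _ in findings)
    return (f"{len(findings)} user account(s) not logged on in more than "
            f"{stale_after.days} days: {names}")


if __name__ == "__main__":
    hits = find_obsolete_accounts(SAMPLE_ACCOUNTS, REPORT_DATE)
    for name, days, basis in hits:
        print(f"{name:10} {days:4d} days idle ({basis})")
    print(poam_entry(hits))
```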